Ssh – DES warning message when connecting to Cisco ASA via SSH

ciscoputtyrsassh

I had to replace a Cisco ASA 5510 that died.

I have everything back up and running however when I connect to the ASA via SSH (through Putty), I receive the following warning message:

"The first cipher supported by the server is single-DES, which is below the configured warning threshold. Do you want to continue with this connection?"

I have tried to solve this by recreating the security keys with the following two commands

crypto key zeroize rsa
crypto key generate rsa noconfirm

However nothing has changed. I still receive the warning message when I connect via SSH.

Best Answer

Issuing the following seems to have resolved the problem. Am I correct is assuiming that I'm now using the more secure key? I never had the "ssh version 2" command running on my ASA 5510 that died on me. Perhaps there was a stronger key originally generated on it using sparks answer?

config t
ssh version 2

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Ubuntu – Weird problem with connection from putty to ubuntu server via SSH

Can you try running plink -v and post that output?. Below I've changed the command to echo $PATH:

C:\Documents and Settings\dave>plink 10.0.1.1 -v /bin/echo $PATH
Looking up host "10.0.1.1"
Connecting to 10.0.1.1 port 22
Server version: SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 4a:84:5d:a8:a2:29:95:c0:4e:92:d1:38:68:e6:2b:5f
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as: dmo
dmo@10.0.1.1's password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Server sent command exit status 0
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
Disconnected: All channels closed

Best Answer

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Ubuntu – Weird problem with connection from putty to ubuntu server via SSH

Related Topic